CVE-2025-1007 MEDIUM

CVE-2025-1007: Improper Authorization in /user/namespace/{namespace}/details

Vendor Eclipse Foundation
Product OpenVSX
Weakness CWE-285
Published February 19, 2025
Last update February 19, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Description

In OpenVSX versions v0.9.0 through v0.20.0, the /user/namespace/{namespace}/details API allowed any user to edit all details of a namespace, even a user who was neither an Owner nor a Contributor of that namespace. The editable details include the name, description, website, support link and social media links. The same issue existed in /user/namespace/{namespace}/details/logo, which allowed such a user to replace the namespace logo. The flaw is a missing object-level authorization check (CWE-285): the endpoint verified that a caller existed but not that the caller held a role in the specific namespace being modified. The impact is confined to integrity (VI:L in the vector above), but for an extension registry that matters, because namespace metadata and branding are what downstream users rely on to identify a publisher.
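The following is an added illustration of the authorization gap described above, written in Python rather than OpenVSX's own Java code base; the data model (a namespace with Owner/Contributor members), the function names and the sample users are assumptions made for the example. It places a handler that only checks for a logged-in caller next to one that checks the caller's role in the target namespace, and also covers the cross-namespace case (an Owner of one namespace must not be able to edit another).

```python
"""Model of the missing authorization check behind CVE-2025-1007.

Added example, not OpenVSX code. Namespaces, roles and users are constructed
for illustration only.
"""
from dataclasses import dataclass, field

OWNER = "owner"
CONTRIBUTOR = "contributor"
EDIT_ROLES = (OWNER, CONTRIBUTOR)


class Forbidden(Exception):
    """Raised when the caller may not modify the namespace."""


@dataclass
class Namespace:
    name: str
    members: dict = field(default_factory=dict)   # user -> role (assumed model)
    details: dict = field(default_factory=dict)   # description, website, links...
    logo: bytes = b""


def vulnerable_update_details(ns: Namespace, user: str, new_details: dict) -> dict:
    """Flawed handler: confirms a user is present, never checks their role in ns."""
    if not user:
        raise Forbidden("login required")
    ns.details.update(new_details)
    return ns.details


def can_edit(ns: Namespace, user: str) -> bool:
    """Object-level check: the caller must be Owner or Contributor of *this* namespace."""
    return ns.members.get(user) in EDIT_ROLES


def require_member(ns: Namespace, user: str) -> None:
    if not can_edit(ns, user):
        raise Forbidden(f"{user!r} is not an owner or contributor of {ns.name!r}")


def fixed_update_details(ns: Namespace, user: str, new_details: dict) -> dict:
    """Hardened handler: authorize against the target namespace before writing."""
    require_member(ns, user)
    ns.details.update(new_details)
    return ns.details


def fixed_update_logo(ns: Namespace, user: str, logo: bytes) -> bytes:
    """Same check applied to the logo endpoint, which had the same flaw."""
    require_member(ns, user)
    ns.logo = logo
    return ns.logo


def simulate() -> dict:
    """Run both handlers against constructed namespaces and report what each allowed."""
    acme = Namespace("acme", members={"alice": OWNER, "bob": CONTRIBUTOR},
                     details={"website": "https://acme.example"})
    other = Namespace("other", members={"carol": OWNER},
                      details={"website": "https://other.example"})
    out = {}

    # mallory is logged in but holds no role in acme.
    out["vulnerable_attacker"] = vulnerable_update_details(
        acme, "mallory", {"website": "https://attacker.example"})["website"]

    acme.details["website"] = "https://acme.example"  # reset for the fixed run
    try:
        fixed_update_details(acme, "mallory", {"website": "https://attacker.example"})
        out["fixed_attacker"] = "allowed"
    except Forbidden:
        out["fixed_attacker"] = "denied"
    out["website_after_fixed"] = acme.details["website"]

    # alice owns acme, so she may edit acme but not other.
    out["fixed_owner_own_ns"] = fixed_update_details(
        acme, "alice", {"description": "ACME extensions"})["description"]
    try:
        fixed_update_logo(other, "alice", b"\x89PNG")
        out["fixed_owner_other_ns"] = "allowed"
    except Forbidden:
        out["fixed_owner_other_ns"] = "denied"

    # bob is a contributor, which is sufficient.
    out["fixed_contributor"] = fixed_update_logo(acme, "bob", b"\x89PNG") == b"\x89PNG"
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The decisive difference is that `require_member` is evaluated against the namespace named in the request path, not against the caller's roles in general; a check that only asks "does this user have some role somewhere" would still leave the cross-namespace case open.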

Disclosure timeline

February 19, 2025 CVE published
February 19, 2025 Record updated